-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0031
                     typo3 -- multiple vulnerabilities
                              2 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           typo3
Publisher:         FreeBSD
Operating System:  FreeBSD
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://www.vuxml.org/freebsd/1c9178aa-2709-11ea-9673-4c72b94353b5.html

- --------------------------BEGIN INCLUDED TEXT--------------------

FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports 
Collection

typo3 -- multiple vulnerabilities

Affected packages
		typo3-8 < 8.7.30
		typo3-9 < 9.5.13

Details

VuXML ID 1c9178aa-2709-11ea-9673-4c72b94353b5

Discovery 2019-12-17

Entry 2019-12-25

Typo3 core team reports:

    It has been discovered that the output of field validation errors in the 
Form Framework is vulnerable to cross-site scripting.

    It has been discovered that t3:// URL handling and typolink functionality
are vulnerable to cross-site scripting. Not only regular backend forms are 
affected but also frontend extensions which use the rendering with typolink.

    It has been discovered that the output table listing in the Files backend
module is vulnerable to cross-site scripting when a file extension contains 
malicious sequences. Access to the file system of the server - either directly
or through synchronization - is required to exploit the vulnerability.

    It has been discovered that the extraction of manually uploaded ZIP 
archives in Extension Manager is vulnerable to directory traversal. Admin 
privileges are required in order to exploit this vulnerability. Since TYPO3 v9
LTS, System Maintainer privileges are required as well.

    Failing to properly escape user submitted content, class QueryGenerator is
vulnerable to SQL injection. Having system extension ext:lowlevel installed 
and a valid backend user having administrator privileges are required to 
exploit this vulnerability.

    It has been discovered that classes QueryGenerator and QueryView are 
vulnerable to insecure deserialization. Requirements for successfully 
exploiting this vulnerability (one of the following):

    - having system extension ext:lowlevel (Backend Module: DB Check) 
      installed and a valid backend user having administrator privileges
    - having system extension ext:sys_action installed and a valid backend 
      user having limited privileges

    TYPO3 allows files to be uploaded both in the backend user interface and
in custom developed extensions. To reduce the possibility of uploading 
potentially malicious code, TYPO3 uses the fileDenyPattern to deny e.g. user 
submitted PHP scripts from being persisted. Besides that, it is possible for 
any editor to upload file assets using the file module (fileadmin) or by 
changing their avatar image shown in the TYPO3 backend. By default TYPO3 also 
allows HTML and SVG files to be uploaded and stored using the mentioned 
functionalities. Custom extension implementations would probably also accept 
those files when only the fileDenyPattern is evaluated. Since HTML and SVG 
files - which might contain executable JavaScript code per W3C standard - 
could be directly displayed in web clients, the whole web application is 
exposed to cross-site scripting. Currently the following scenarios are known,
given an authenticated regular editor is able to upload files using the TYPO3
backend:

    - directly pointing a potential victim to a known public resource in a 
      URL, e.g. /fileadmin/malicious.svg or /fileadmin/malicious.html
    - using the TypoScript content object SVG (implemented in class 
      ScalableVectorGraphicsContentObject) with renderMode set to inline for 
      SVG files (available since TYPO3 v9.0)
    - custom implementations that directly output and render markup of HTML 
      and SVG files

    SVG files that are embedded using an <img src=malicious.svg> tag are not 
vulnerable, since potential scripts are not executed in these scenarios (see 
https://www.w3.org/wiki/SVG_Security). The icon API of TYPO3 is not in scope 
of this announcement, since SVG icons need to be registered using an 
individual implementation, which is not considered user submitted content.

    It has been discovered that request handling in Extbase can be vulnerable
to insecure deserialization. User submitted payload has to be signed with a 
corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - 
invalid or unsigned payload is not deserialized. However, since sensitive 
information could have been leaked by accident (e.g. in repositories or in 
commonly known and unprotected backup files), there is the possibility that 
attackers know the private encryptionKey and are able to calculate the 
required HMAC-SHA1 to allow a malicious payload to be deserialized. 
Requirements for successfully exploiting this vulnerability (all of the 
following):

    - rendering at least one Extbase plugin in the frontend
    - encryptionKey has been leaked (from LocalConfiguration.php or 
      corresponding .env file)

References

URL https://typo3.org/security/advisory/typo3-core-sa-2019-021/
URL https://typo3.org/security/advisory/typo3-core-sa-2019-022/
URL https://typo3.org/security/advisory/typo3-core-sa-2019-023/
URL https://typo3.org/security/advisory/typo3-core-sa-2019-024/
URL https://typo3.org/security/advisory/typo3-core-sa-2019-025/
URL https://typo3.org/security/advisory/typo3-core-sa-2019-026/
URL https://typo3.org/security/advisory/typo3-psa-2019-010/
URL https://typo3.org/security/advisory/typo3-psa-2019-011/

- --------------------------END INCLUDED TEXT--------------------
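Added illustration of the Extension Manager directory-traversal issue quoted above. This is example code written for this bulletin, not TYPO3 or FreeBSD code: a ZIP extractor that resolves every member name against the destination directory and refuses the whole archive if any member would land outside it. The archives, the member names (e.g. ../../typo3conf/evil.php) and the PHP placeholder written into them are constructed test data.

```python
"""Safe extraction of an uploaded ZIP that refuses directory-traversal members.

Constructed example for the Extension Manager advisory; not TYPO3 code.
"""
import io
import os
import tempfile
import zipfile


def build_sample_zip(member_names):
    """Build an in-memory ZIP whose member names we control (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, "<?php echo 'payload'; ?>\n")  # placeholder content
    return buf.getvalue()


def offending_members(zip_bytes, dest_dir):
    """Return member names that would land outside dest_dir once extracted."""
    dest_real = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Absolute paths and Windows drive letters never belong in an upload.
            if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                bad.append(name)
                continue
            # Resolve '..' components against the real destination and require
            # that the result stays inside it (prefix check on a normalised path).
            target = os.path.realpath(os.path.join(dest_real, name))
            if target != dest_real and not target.startswith(dest_real + os.sep):
                bad.append(name)
    return bad


def safe_extract(zip_bytes, dest_dir):
    """Extract only if every member stays inside dest_dir; reject the archive otherwise."""
    bad = offending_members(zip_bytes, dest_dir)
    if bad:
        raise ValueError("refusing archive with traversal members: %r" % bad)
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.join(dest_dir, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return sorted(extracted)


def demo():
    """Run a benign and a crafted archive through the check; returns the outcomes."""
    dest = tempfile.mkdtemp(prefix="typo3ext-")
    benign = build_sample_zip(["myext/ext_emconf.php", "myext/Classes/Foo.php"])
    crafted = build_sample_zip(
        ["myext/ext_emconf.php", "../../typo3conf/evil.php", "/etc/cron.d/x"]
    )
    result = {
        "benign_offenders": offending_members(benign, dest),
        "benign_extracted": safe_extract(benign, dest),
        "crafted_offenders": offending_members(crafted, dest),
    }
    try:
        safe_extract(crafted, dest)
        result["crafted_rejected"] = False
    except ValueError:
        result["crafted_rejected"] = True
    # Nothing from the crafted archive may have been written outside dest.
    result["evil_written"] = os.path.exists(
        os.path.join(dest, "..", "..", "typo3conf", "evil.php")
    )
    return result


if __name__ == "__main__":
    print(demo())
```

The check is all-or-nothing on purpose: extracting the benign members of a crafted archive and skipping the bad ones would still leave an attacker-controlled extension on disk, so the archive is rejected before anything is written.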
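Added example for the HTML/SVG upload advisory quoted above, not TYPO3 code: an upload check that does not stop at an extension deny-list, plus the response headers that keep a stored SVG or HTML file from being rendered inline when it is served from a path such as /fileadmin/. FILE_DENY_PATTERN here is a simplified stand-in for TYPO3's real fileDenyPattern (it is not the TYPO3 default), and the SVG/HTML payloads are constructed.

```python
"""Upload checks that go beyond an extension deny-list.

Constructed example for the HTML/SVG upload advisory; not TYPO3 code.
"""
import re

# Simplified stand-in for a server-side fileDenyPattern (extensions only).
# Matches the extension anywhere in the name, so 'shell.php.jpg' is caught too.
FILE_DENY_PATTERN = re.compile(r"\.(php[0-9]?|phtml|phar|htaccess)(\.|$)", re.IGNORECASE)

# Extensions a browser renders as a document, hence can execute script.
ACTIVE_CONTENT_EXT = re.compile(r"\.(svg|svgz|html?|xhtml|xml)$", re.IGNORECASE)

# Markup that makes an SVG/HTML file executable when displayed directly.
SCRIPT_MARKERS = re.compile(
    rb"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*foreignObject\b|<\s*iframe\b",
    re.IGNORECASE,
)


def classify_upload(filename, data, allow_active_content=False):
    """Return ('allow' | 'deny', reason) for a candidate upload.

    The extension check alone (the fileDenyPattern) lets HTML and SVG through;
    the content check below is what actually catches script-bearing markup.
    """
    if FILE_DENY_PATTERN.search(filename):
        return "deny", "extension matches fileDenyPattern"
    # Sniff the content too: a renamed .svg is still an SVG to a browser.
    looks_like_markup = data.lstrip()[:1] == b"<"
    if ACTIVE_CONTENT_EXT.search(filename) or looks_like_markup:
        if SCRIPT_MARKERS.search(data):
            return "deny", "active content (script/handler) in markup"
        if not allow_active_content:
            return "deny", "HTML/SVG uploads disabled for editors"
        return "allow", "markup without script markers; serve as attachment"
    return "allow", "binary/non-markup asset"


def download_headers(filename):
    """Headers for serving user uploads so the browser never renders them inline."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if ACTIVE_CONTENT_EXT.search(filename):
        safe_name = filename.replace('"', "")
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe_name
        headers["Content-Security-Policy"] = "default-src 'none'; sandbox"
    return headers


if __name__ == "__main__":
    evil_svg = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
    print(classify_upload("malicious.svg", evil_svg))
    print(download_headers("malicious.svg"))
```

The headers matter independently of the upload check: an SVG that is only ever delivered with Content-Disposition: attachment and nosniff is not displayed as a document, which is the same reason the advisory notes that an SVG referenced from an img tag does not run its scripts.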

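Added example for the Extbase deserialization advisory quoted above, not TYPO3 code. Python's pickle stands in for PHP's unserialize, ENCRYPTION_KEY stands in for the TYPO3 encryptionKey, and the Gadget class is a constructed, harmless stand-in for a real gadget chain. It shows why an HMAC-SHA1 check does not make deserialization safe once the key has leaked, and the hardened variant that verifies the MAC and then parses a data-only format (JSON) instead.

```python
"""HMAC-signed serialized payloads, and why a leaked key turns them into code execution.

Constructed example for the Extbase advisory; pickle stands in for PHP unserialize.
"""
import hashlib
import hmac
import json
import pickle

# Stand-in for the TYPO3 encryptionKey; constructed value, never reuse it.
ENCRYPTION_KEY = b"constructed-example-key-do-not-reuse"


def sign(payload, key):
    """Append a hex HMAC-SHA1 (40 chars) of the payload, computed with the site key."""
    mac = hmac.new(key, payload, hashlib.sha1).hexdigest().encode()
    return payload + mac


def _verify(signed, key):
    """Split payload/MAC and check the MAC in constant time; raise on mismatch."""
    payload, mac = signed[:-40], signed[-40:]
    expected = hmac.new(key, payload, hashlib.sha1).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("invalid HMAC")
    return payload


def verify_and_unserialize(signed, key):
    """Vulnerable pattern: a valid MAC is treated as proof the payload is safe to unserialize."""
    payload = _verify(signed, key)
    return pickle.loads(payload)  # runs attacker-chosen callables if the key leaked


class Gadget:
    """Attacker-supplied object: deserializing it calls a callable of the attacker's choice.

    str.upper is a harmless placeholder for what a real gadget chain would invoke.
    """

    def __reduce__(self):
        return (str.upper, ("code executed during unserialize",))


def attacker_forge(leaked_key):
    """With the leaked key the attacker signs an arbitrary object graph."""
    return sign(pickle.dumps(Gadget()), leaked_key)


def verify_and_decode_safe(signed, key):
    """Hardened pattern: verify the MAC, then parse a data-only format (no object graph)."""
    payload = _verify(signed, key)
    return json.loads(payload)


def demo():
    """Walk through the legitimate, forged and hardened cases; returns the outcomes."""
    out = {}
    legit = sign(pickle.dumps({"page": 1}), ENCRYPTION_KEY)
    out["legit"] = verify_and_unserialize(legit, ENCRYPTION_KEY)
    # Attacker holding the leaked key: MAC verifies, gadget runs during unserialize.
    out["forged_with_leaked_key"] = verify_and_unserialize(
        attacker_forge(ENCRYPTION_KEY), ENCRYPTION_KEY
    )
    # Attacker without the key: MAC fails, nothing is deserialized.
    try:
        verify_and_unserialize(attacker_forge(b"wrong-guess"), ENCRYPTION_KEY)
        out["forged_without_key"] = "deserialized"
    except ValueError:
        out["forged_without_key"] = "rejected"
    # Hardened handler: a validly signed pickle is just malformed JSON, nothing runs.
    out["hardened_legit"] = verify_and_decode_safe(
        sign(json.dumps({"page": 1}).encode(), ENCRYPTION_KEY), ENCRYPTION_KEY
    )
    try:
        verify_and_decode_safe(attacker_forge(ENCRYPTION_KEY), ENCRYPTION_KEY)
        out["hardened_forged"] = "decoded"
    except ValueError:
        out["hardened_forged"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the second case: the MAC is a genuine HMAC-SHA1 and the constant-time comparison is correct, yet the handler still executes attacker-chosen code because authenticity of the bytes says nothing about what unserializing them does. Rotating a leaked key closes the door for that key; moving to a data-only format removes the door.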
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXg2BLmaOgq3Tt24GAQhXNQ/+PRwlvoazVbzxoELfan055iSKPbijScRx
yTCX47od7+ro5jw1z7pGblUXWZykN0z4r5M7AdHRrJfFLgjAIifrpBfjaPW8NM/J
AZ5cdu5ourzc3RUjfrLu3xeX13kofVvb51cUivsfnO/m67mKLkOuFJfwJ9vcpeS5
twZ6CC1uG6ET++Uledh3RXZvaplSlMfYJNcq5UKnA042XKDUOHiBCO5r4x7ioW4/
56SDiGz0Tm5cbpfSAE2SRV7XeJ3tjD1Yt3CeknuqeQSPhbfPguZ0tMpzJz06h0My
BgGdWtM0USkBq45mAXyJmo9oYEJzQQ/BnsucyvsyYt6Pp/lXhw88ptO316QixlT0
BYUa7mdpN4xUFaaVLhm3QcrQSt3devTz1XC4R/Tdzq4Td0C3PzOYqky3Ms281JxI
kWtHs6LmS51WhltjUHBN3tXw86Z55or6T6dLjEw9qZ4xFXwhctBVJ1UqVZJIX5SF
uiMTY6DsCxsjHKVME2QJBHcfXp/Mv7EDPFcbbY5HGy+FmsjRxeXFu1vBL1CQjJtR
Nbp2gBwJsKcEHIskvrBARLlcxjFo1lKK+ZAr14KgZVOKHSoQstLduIyZLns7FVuQ
+Rme2K35Y6kiCiYyz/als8mnEoT2OSxw+d4UOVi8wxB8FbJz3OpvQkuIjRu5Ql/W
XJIHAlXBHaI=
=qevW
-----END PGP SIGNATURE-----